(57) Abstract

In an interactive broadcast system, signals transmitted by a service provider (30) are passed via a gateway (12) to a subscriber terminal (2). In order to gain access to services, the subscriber terminal (2) transmits an authorization request message via the gateway (12) to a RADIUS server (18). This RADIUS server (18) transmits, in response to the authorization request message, an authorization challenge message to the subscriber terminal (2). In return the subscriber terminal responds to the challenge message with a challenge response. This challenge response is checked by the RADIUS server (18) and, if correct, the RADIUS server (18) transmits a message to the gateway to give the subscriber terminal access to the service.
Broadcast network with interactive services.



The present invention relates to a broadcast network comprising an information server coupled to a plurality of subscriber stations for transmitting broadcast signals to the subscriber stations, the broadcast network further comprises a return channel for transmitting information from the subscriber terminal to a head-end, the broadcast network further comprises authentication means for authorizing the access of the subscriber terminal to interactive services.

The present invention also relates to a subscriber terminal, a gateway and a method.

A broadcast network according to the preamble is known from ETS 300 802, Digital Video Broadcasting (DVB); Network independent protocols for DVB interactive services, EBU/CENELEC/ETSI-JTC, November 1997.

Presently, interactive services are introduced in several types of broadcast networks, such as DVB-Satellite, DVB-Cable and DVB-Terrestrial. For enabling these interactive services, a return channel has been introduced in order to transmit information from a subscriber terminal to a head-end. The information server can be present in the head-end, but it may also be a remote server which is connected to the head-end. The subscriber terminal can e.g. be a set top box or a cable modem. The return channel can be a connection via the Public Switched Telephone Network, via a cable return channel or even a satellite return channel.

An operator of the information server has to provide for authorization and subsequent billing of users using the information server. In present systems this authorization is done using the Point to Point Protocol (PPP) which is described in RFC 1661 and RFC 1994. PPP is not suitable for providing for authentication and authorization for different services, because PPP only provides for authentication and authorization of a communication link.






The object of the present invention is to provide a broadcast network according to the preamble in which authorization and authentication for multiple services is possible.
To achieve said objective, the broadcast network according to the present invention is characterized in that the subscriber terminal comprises authorization transmitting means for transmitting authorization request messages to an authorization server, the authorization server being arranged for checking the entitlement of the subscriber to services to be provided by the information server, and in that the authorization server is arranged for enabling the subscriber to access said services.

By introducing the authorization transmitting means in the subscriber terminal and adding an authorization server to which request messages can be sent, the subscriber terminal itself can request authorization for a service. The authorization server then requests an authentication message from the subscriber terminal. After the identity of the subscriber and the entitlement to the requested service have been verified, the authorization server enables the use of said services by said subscriber terminal. The above process can be carried out for each different service.

It is observed that in RFC 2138 the so-called RADIUS protocol is disclosed. In this protocol, the authorization transmitting means are not included in the subscriber terminal, but they are present in the server to which the subscriber logs on for accessing the service.
An embodiment of the present invention is characterized in that the information server is coupled to the subscriber terminals via a gateway, and in that the authorization server is arranged for enabling the subscriber to access said services by transmitting a message to the gateway to grant said subscriber access to said services.

An easy way of enabling access to the services is to send a command message to a gateway informing the gateway that certain services for the authorized subscriber stations have to be passed. This gateway can be present in the head-end.

A further embodiment of the invention is characterized in that said message comprises information about at least one source IP address from which IP packets are passed to the subscriber stations.

A suitable way to enable services is to inform the gateway that IP packets having a particular source address have to be passed to the subscriber terminal which has requested them. In some systems it will also be needed that IP packets from the subscriber terminal are passed to a host with a particular destination address. This destination address may be the same as the source address, but this is not a necessity.



The present invention will now be explained with reference to the drawings.

Fig. 1 shows a block diagram of the communication network according to the invention.

Fig. 2 shows a protocol stack to be used in a subscriber terminal according to the invention.

Fig. 3 shows a flow diagram of a successful attempt of a subscriber terminal to access services provided by the information server 30.

Fig. 4 shows a flow diagram of a failing attempt of a subscriber terminal to access services provided by the information server 30.

In the broadcast network according to Fig. 1, a subscriber terminal 2, which can be a set top box (STB) or a cable modem, is connected via two logical channels 3 and 4 of a Hybrid Fiber Coax (HFC) network 8 to a gateway 14 (Broadcast Network Adapter) and to a gateway 12 (Interaction Network Adapter). The first logical channel is a unidirectional broadcast channel which is part of the broadcast delivery network. The second logical channel is the interaction channel, which is formed by a return interaction path and a forward interaction path. The forward interaction path may be embedded into the broadcast channel. It is possible that the forward path of the interaction channel is not required in some simple implementations. Physically, the broadcast delivery network and the interaction network are laid over one HFC network 8.

The Interaction Network Adapter (INA) 12 implements the functionality of a Network Access Server (NAS) for allowing the subscriber terminal 2 (STB or Cable Modem) to access an IP network 16 over the HFC network 8. It embeds the interactive (IP) data in the interaction channel. The Broadcast Network Adapter (BNA) 14 puts the (IP) data in the broadcast channel 4.

" •'• A'6coi^^g t6 fifii^^s^ inVdi^w authorization s«vei848..20 and 22 are 
connected to the IP n6tw6rlt i6.-n.e'se ^^horization. servers will further.to,be referred to^ 
RADIUS servers, because they operate according to the RADIUS protocol (RFC 2138). The 
subscriber terminal 2 transmits an authorizauon request message via the INA 12 to one of the 
■ " RADIUS senders 18, 20 and 22. These RADIUS servers transmit an access challenge message 
to the subscriber terminal 2 in order to check the identity of the subscriber terminal. In 
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response to said access challenge message, the subscriber.tenninal 2 transmits a second access 
fbquest message which cairies -a r^sponserto the challenge mjpssage to authenticate itself. If the 
informatiori Carried by the secondvaceesS|request message is. regarded as correct, the RADIUS 
- server subiriits cdhfiguratioainfomajipn to the INA (or BN A) necessary to deliver the service 
'5 to theSTBinqiiesticfn. . - f' ? p i. - , ; . . , 

Optionally, a RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers. This can be seen in Fig. 1, by the connection of further RADIUS servers 24, 26 and 28 to the RADIUS server 18.

As explained above, authentication, authorization and accounting are carried out using the RADIUS protocol, as this is the standard for authentication, authorization and accounting within the Internet community. RADIUS supports authentication, authorization and accounting on a per session basis. Furthermore, different applications running in parallel are supported, because each application can initiate the transmission of request messages to a RADIUS server. Also different accounting policies, e.g. one for web-browsing and another for IP-telephony, can be supported, because the RADIUS server can transmit different configuration messages to the INA 12 and/or BNA 14.

Due to the presence of different RADIUS servers, each ISP or ASP does its own authentication, authorization and accounting.
The architecture shall allow STBs which do not contain functionality for this architecture to enter the cable network. However, security measures shall be taken so that they cannot access (accountable) services for which they have to be authenticated and authorized. The architecture is secure, i.e. users cannot circumvent authentication, authorization and accounting, e.g. by hacking the STB or cable modem. Security information can be stored on a secure smart-card.

The proposal is to add RADIUS functionality to the Set-Top-Box and Cable Modem, i.e. it looks like a RADIUS client is built into the STB or CM. This can be done by adding RADIUS functionality to the STB and CM middleware.

The STB RADIUS client present in the subscriber terminal 2 communicates with a RADIUS proxy inside the INA 12, which in its turn communicates with the RADIUS server 18, 20 or 22 of the ISP or ASP in question. The INA 12 includes an IP filter and functionality for accounting.



The subscriber terminal 2 uses a SmartCard which contains an ID, a password and a CHAP secret. At set-up of the connection, this information is used to authenticate and authorize the subscriber terminal 2 by the RADIUS server 18, 20 or 22.

The INA 12 contains a RADIUS security module for securing the connection with the RADIUS server. The RADIUS security module is used to add to each RADIUS message a cryptographic message digest over the payload of the message, so that the RADIUS server 18, 20 or 22 can verify that the message is generated by an authorized INA and not tampered with.

The database of the RADIUS server contains for each subscriber terminal the ID, password and CHAP security data stored on the SmartCard. Furthermore, it contains for each INA the RADIUS security data for authenticating the RADIUS messages coming from the INA in question and vice versa.
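As an added example, not part of the patent text, the following Python models the digest check described in the two paragraphs above for the INA-to-RADIUS-server hop, using the authenticators as RFC 2138 and RFC 2869 define them. The Response Authenticator is MD5 over Code, Identifier, Length, the saved Request Authenticator, the attributes and the shared secret, so a reply is bound to both the request and the secret. An Access-Request of its own carries only a random Request Authenticator; the keyed digest over its payload that the text wants comes from the Message-Authenticator attribute (HMAC-MD5, RFC 2869), and a server that does not require it has no proof the request came from an authorized INA. Packet layout and attribute numbers are the real ones; the shared secret, subscriber ID and NAS addresses are constructed test values, and the functions are this example's own, not code from the patent.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes (RFC 2138) and attribute types (RFC 2138; Message-Authenticator from RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CLASS, MESSAGE_AUTHENTICATOR = 1, 4, 5, 25, 80


def encode_attrs(attrs):
    """(type, value) pairs in RADIUS TLV form: type, length including the 2-byte header, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    rest, attrs = pkt[20:], []
    while rest:
        t, l = rest[0], rest[1]
        if l < 2 or l > len(rest):
            raise ValueError("bad attribute length")
        attrs.append((t, rest[2:l]))
        rest = rest[l:]
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2138 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869: HMAC-MD5 over the whole packet with the Message-Authenticator value set to 16 zero octets."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def build_request(code, ident, attrs, secret):
    """INA -> server. The Request Authenticator is random; the secret only enters via Message-Authenticator."""
    request_auth = os.urandom(16)
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, request_auth, attrs, secret))
    return build_packet(code, ident, request_auth, attrs), request_auth


def build_response(code, ident, request_auth, attrs, secret):
    """Server -> INA. The Response Authenticator binds the reply to the request and to the secret."""
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, attrs, secret), attrs)


def verify_request(pkt, secret):
    """Server side. A request without Message-Authenticator is refused: base RFC 2138 gives it no keyed digest."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    return hmac.compare_digest(macs[0], message_authenticator(code, ident, request_auth, attrs, secret))


def verify_response(pkt, request_auth, secret):
    """INA side: recompute the Response Authenticator with the Request Authenticator saved for this Identifier."""
    code, ident, auth, attrs = parse_packet(pkt)
    return hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, attrs, secret))


def authenticator_demo(secret=b"ina-12-shared-secret"):
    """Round trip with constructed values; returns which checks hold."""
    attrs = [(USER_NAME, b"stb-0001"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 12])), (NAS_PORT, struct.pack("!I", 3))]
    req, request_auth = build_request(ACCESS_REQUEST, 7, attrs, secret)
    tampered = bytearray(req)
    tampered[22] ^= 0xFF      # first byte of the User-Name value, right after the 20-byte header
    resp = build_response(ACCESS_ACCEPT, 7, request_auth, [(CLASS, b"service:web")], secret)
    return {
        "request_ok": verify_request(req, secret),
        "tampered_request_rejected": not verify_request(bytes(tampered), secret),
        "wrong_secret_rejected": not verify_request(req, b"not-the-secret"),
        "response_ok": verify_response(resp, request_auth, secret),
        "response_for_other_request_rejected": not verify_response(resp, os.urandom(16), secret),
    }
```

MD5 is what the protocol specifies, not a recommendation; the point of the example is which fields the secret actually covers in each direction of the INA-server hop, and that the server must insist on the Message-Authenticator for the digest check the text relies on to exist at all.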

The RADIUS client in the STB implements the client side of RADIUS authentication, authorization and accounting. It is capable of generating and handling all RADIUS messages, i.e. Access-Request, Access-Accept, Access-Reject and Access-Challenge, the accounting messages Accounting-Request and Accounting-Response, plus the necessary message attributes. RADIUS messages will be exchanged between the STB and the INA.

The subscriber terminal 2 knows the IP address of the RADIUS proxy in the INA 12 for authorization, authentication and accounting, or it uses the broadcast address 255.255.255.255, and the RADIUS proxy of the INA 12 fills in the IP address of the default RADIUS server. (RADIUS uses the well known port number 1812 for RADIUS authentication and authorization and 1813 for accounting.) The RADIUS message attribute 'NAS-Port' can be used to address the different applications running in the subscriber terminal 2.

The RADIUS message attribute 'NAS-IP-Address' is used to inform the designated RADIUS server of the IP address of the RADIUS client present in the subscriber terminal 2.

Fig. 2 shows the protocol stack to be implemented in the subscriber terminal 2. Below the application layer 32, the RADIUS client layer 36 is present. This RADIUS layer is placed on top of the UDP/TCP layers 38 and 40. It can be part of e.g. a MediaHighway adaptation layer 34. More than one application in the subscriber terminal 2 can make use of the RADIUS functionality, so that for each application a RADIUS session can be executed, i.e. authentication, authorization and accounting can be done. Below the TCP or UDP layer, the IP layer and the MAC layer are present.
In the flow graph according to Fig. 3, the interactions needed for authenticating, authorizing and accounting between the subscriber terminal 2, the INA 12 and the RADIUS server are shown.

This sequence is executed after a STB has successfully set up the MAC layer in step 56. In step 58 the subscriber terminal 2 transmits a DHCP request message to the INA 12 in order to obtain an IP address. In step 60, the INA 12 replies by transmitting a DHCP reply message containing an IP address to be used by the subscriber terminal 2. In order to access a service, the subscriber terminal 2 transmits a RADIUS access request message to the INA 12 in step 62. In step 64 the INA 12 forwards this request message to the appropriate RADIUS server, e.g. 18. In response to said RADIUS access request message, the RADIUS server transmits in step 66 a RADIUS challenge message to the INA 12, which passes this message in step 68 to the subscriber terminal 2. The subscriber terminal 2 replies in step 70 (via the INA 12, step 72) with a RADIUS access request message containing the RADIUS challenge response to the RADIUS server 18. The RADIUS server 18 checks the challenge response message and, if the challenge response is correct, the RADIUS server 18 transmits in step 74 a RADIUS access accept message. This RADIUS access accept message signals the INA 12 and, in step 76, the subscriber terminal 2 that this subscriber terminal 2 is given access to the requested service.

Before the requested service is started, the subscriber terminal 2 transmits in steps 78 and 80 a RADIUS accounting request message via the INA 12 to the RADIUS server 18 in order to turn on the accounting for the requested service. The RADIUS server 18 will respond in step 82 by transmitting a RADIUS accounting response message to the INA 12. This message will adjust the IP filter 84 of the INA 12 in such a way that the IP datagrams of the requested service can be forwarded by the INA 12. The INA 12 then forwards the RADIUS accounting response message to the subscriber terminal 2. In response to the RADIUS accounting response message, the subscriber terminal 2 starts the service.

When the requested service has finished, the subscriber terminal 2 transmits in steps 90 and 92 a RADIUS accounting request message via the INA 12 to the RADIUS server 18. The RADIUS server 18 replies with a RADIUS accounting response 94 which is transmitted to the INA 12 and which is passed as message 98 to the subscriber terminal 2. When the RADIUS accounting response is received by the INA 12 from the RADIUS server 18, the IP filter is adjusted in such a way that the IP datagrams of the service in question are blocked by the IP filter.

It is observed that the above is only an example of how the interaction between the STB, INA and RADIUS server can be done. Many variations can be introduced on this sequence.

The flow graph according to Fig. 4 shows the sequence when the access attempt of the subscriber terminal 2 is rejected.

The steps up to and including the transmission of the challenge response are the same as in Fig. 3. When the challenge response transmitted by the subscriber terminal is not correct, the RADIUS server replies with a RADIUS access reject message 100 which is transmitted to the INA 12 and passed to the subscriber terminal 2, so that the INA 12 and the subscriber terminal 2 know that the subscriber terminal 2 is not allowed to access the service.

After a rejection it may be handy for the subscriber terminal to repeat the attempt. These repeated retries are indicated in Fig. 4 by the "Do" and "While Not Accepted" blocks. As long as access of the subscriber terminal 2 is not authorized, the IP filter inside the INA 12 will block passing of information from the information provider 30 to the subscriber terminal 2. Also passing of information from the subscriber terminal 2 to the information provider 30 is blocked.
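As an added example, not part of the patent text, the following Python plays the Fig. 3 and Fig. 4 sequences through at the level of RADIUS attributes, with the three parties as objects: the STB's RADIUS client, the INA as proxy plus IP filter, and the RADIUS server holding the smart-card data and the per-service entitlements. CHAP is computed as RFC 1994 specifies (MD5 over identifier, secret and challenge). The rest is assumed for the illustration: the requested service is named with a 'Service' key that RADIUS does not define, the Access-Accept and Accounting-Response carry the information server's source IP under a 'Source-IP' key rather than a standard attribute, wire encoding and authenticators are left out, and the card IDs, secrets and addresses are constructed test values.

```python
import hashlib
import os

# Codes kept as names: this model stays at attribute level, no wire encoding.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = "Access-Request", "Access-Accept", "Access-Reject", "Access-Challenge"
ACCT_REQUEST, ACCT_RESPONSE = "Accounting-Request", "Accounting-Response"

def chap_response(chap_id, secret, challenge):
    """CHAP (RFC 1994) response as carried in CHAP-Password: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

class RadiusServer:
    """Authorization server 18: smart-card data plus, per service, the source IP and the entitled card IDs."""
    def __init__(self, subscribers, services):
        self.subscribers = subscribers   # card ID -> CHAP secret (constructed)
        self.services = services         # service -> (source IP of the information server, entitled IDs)
        self.pending = {}                # (user, NAS-Port) -> outstanding CHAP-Challenge
        self.authorized = set()          # (user, NAS-Port, service) that received an Access-Accept

    def handle(self, msg):
        user, port, service = msg["User-Name"], msg["NAS-Port"], msg["Service"]
        src_ip, entitled = self.services.get(service, (None, frozenset()))
        key = (user, port, service)
        if msg["Code"] == ACCESS_REQUEST and "CHAP-Password" not in msg:   # steps 62-68: fresh challenge
            self.pending[(user, port)] = os.urandom(16)
            return {"Code": ACCESS_CHALLENGE, "CHAP-Challenge": self.pending[(user, port)]}
        if msg["Code"] == ACCESS_REQUEST:                                  # steps 70-74: identity and entitlement
            challenge, secret = self.pending.pop((user, port), None), self.subscribers.get(user)
            chap_id, resp = msg["CHAP-Password"]
            if (challenge is None or secret is None or user not in entitled
                    or resp != chap_response(chap_id, secret, challenge)):
                return {"Code": ACCESS_REJECT}
            self.authorized.add(key)
            return {"Code": ACCESS_ACCEPT, "Source-IP": src_ip}
        # Accounting (steps 78-98): Start opens the filter for an authorized session, Stop closes it.
        if key not in self.authorized:
            return {"Code": ACCT_RESPONSE, "Filter": None}
        if msg["Acct-Status-Type"] == "Stop":
            self.authorized.discard(key)
            return {"Code": ACCT_RESPONSE, "Filter": ("close", None)}
        return {"Code": ACCT_RESPONSE, "Filter": ("open", src_ip)}

class INA:
    """Gateway 12: RADIUS proxy towards the server plus the IP filter, keyed by (subscriber IP, NAS-Port)."""
    def __init__(self, server):
        self.server, self.filter = server, {}   # filter: (subscriber IP, NAS-Port) -> permitted source IP

    def proxy(self, subscriber_ip, msg):
        reply = self.server.handle(msg)
        if reply["Code"] == ACCT_RESPONSE and reply["Filter"]:
            action, src_ip = reply["Filter"]
            key = (subscriber_ip, msg["NAS-Port"])
            if action == "open":
                self.filter[key] = src_ip
            else:
                self.filter.pop(key, None)
        return reply

    def passes(self, src_ip, subscriber_ip, nas_port):
        """Is a downstream datagram from src_ip for the application at nas_port forwarded?"""
        return self.filter.get((subscriber_ip, nas_port)) == src_ip

class SubscriberTerminal:
    """STB 2 with a built-in RADIUS client; card_id and card_secret stand for the smart-card contents."""
    def __init__(self, ina, ip, card_id, card_secret):
        self.ina, self.ip, self.card_id, self.secret = ina, ip, card_id, card_secret

    def _send(self, service, nas_port, **extra):
        msg = {"User-Name": self.card_id, "NAS-IP-Address": self.ip, "NAS-Port": nas_port, "Service": service}
        return self.ina.proxy(self.ip, dict(msg, **extra))

    def request_service(self, service, nas_port, max_tries=2):
        """Fig. 3 sequence; the loop is the 'Do ... While Not Accepted' retry of Fig. 4."""
        for _ in range(max_tries):
            reply = self._send(service, nas_port, Code=ACCESS_REQUEST)
            if reply["Code"] != ACCESS_CHALLENGE:
                return False
            resp = chap_response(1, self.secret, reply["CHAP-Challenge"])
            reply = self._send(service, nas_port, **{"Code": ACCESS_REQUEST, "CHAP-Password": (1, resp)})
            if reply["Code"] == ACCESS_ACCEPT:
                break
        else:
            return False
        # Accounting Start: only its response makes the INA open the filter; then the service may start.
        self._send(service, nas_port, **{"Code": ACCT_REQUEST, "Acct-Status-Type": "Start"})
        return True

    def stop_service(self, service, nas_port):
        self._send(service, nas_port, **{"Code": ACCT_REQUEST, "Acct-Status-Type": "Stop"})

def aaa_flow_demo():
    """Constructed scenario: card-0001 is entitled to 'web' only; card-0002 is unknown to the server."""
    server = RadiusServer(subscribers={"card-0001": b"chap-secret-0001"},
                          services={"web": ("192.0.2.10", {"card-0001"}), "iptv": ("198.51.100.5", set())})
    ina = INA(server)
    stb = SubscriberTerminal(ina, "10.0.0.12", "card-0001", b"chap-secret-0001")
    rogue = SubscriberTerminal(ina, "10.0.0.13", "card-0002", b"guessed-secret")
    out = {"web_accepted": stb.request_service("web", nas_port=1)}
    out["web_passes"] = ina.passes("192.0.2.10", "10.0.0.12", 1)
    out["other_source_blocked"] = not ina.passes("198.51.100.5", "10.0.0.12", 1)
    out["other_port_blocked"] = not ina.passes("192.0.2.10", "10.0.0.12", 2)
    out["iptv_rejected"] = not stb.request_service("iptv", nas_port=2)   # authenticated, but not entitled
    out["rogue_rejected"] = not rogue.request_service("web", nas_port=1)
    stb.stop_service("web", 1)
    out["closed_after_stop"] = not ina.passes("192.0.2.10", "10.0.0.12", 1)
    return out
```

The filter is keyed on the subscriber's IP address and NAS-Port, so two applications in one terminal get separate entitlement and accounting sessions, which is the per-service property the text claims over PPP. Note that the filter opens only on the Accounting-Response to the Start record, not on the Access-Accept, and that a correct CHAP response for a service the card is not entitled to is still rejected: identity and entitlement are checked in the same step.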

PPP only provides for authentication and authorization of the communication link as a whole. Furthermore, the accounting in PPP is the same for all types of services, i.e. it cannot support different accounting policies for different services. In the proposed IP architecture, the authentication, authorization and accounting can take place on a per service basis. The INA 12 enforces authentication, authorization and accounting by using an IP filter for all STBs; this IP filter will be controlled by the RADIUS messages from the RADIUS server in question. The proposed architecture supports cable modems and STBs alike. It is observed that the proposed architecture also works with PPP.
Acronyms

ASP     Access Service Provider.
BNA     Broadcast Network Adapter.
CM      Cable Modem.
CRC     Cable Return Channel.
DVB     Digital Video Broadcasting.
HFC     Hybrid Fiber Coax.
INA     Interaction Network Adapter.
IP      Internet Protocol.
ISP     Internet Service Provider.
MAC     Medium Access Control.
RADIUS  Remote Authentication Dial In User Service.
RF      Radio Frequency.
STB     Set Top Box.
TCP     Transmission Control Protocol.
UDP     User Datagram Protocol.
CLAIMS:

1. Broadcast network comprising an information server coupled to a plurality of subscriber stations for transmitting broadcast signals to the subscriber stations, the broadcast network further comprises a return channel for transmitting information from the subscriber terminal to a head-end, the broadcast network further comprises authentication means for authorizing the access of the subscriber terminal to interactive services, characterized in that the subscriber terminal comprises authorization transmitting means for transmitting authorization request messages to an authorization server, the authorization server being arranged for checking the entitlement of the subscriber to services to be provided by the information server, and in that the authorization server is arranged for enabling the subscriber to access said services.


2. Broadcast network according to claim 1, characterized in that the information server is coupled to the subscriber terminals via a gateway, and in that the authorization server is arranged for enabling the subscriber to access said services by transmitting a message to the gateway to grant said subscriber access to said services.

3. Broadcast network according to claim 2, characterized in that said message 
comprises information about at least one source IP address from which IP packets are passed 
to the subscriber station. 


4. Broadcast network according to claim 2 or 3, characterized in that said services are transmitted using IP packets, and in that said message comprises information about at least one destination IP address to which IP packets from the subscriber station are passed.

5. Subscriber station for receiving broadcast signals, said subscriber station being arranged for transmitting information via a return channel to a head-end, characterized in that the subscriber terminal comprises authorization transmitting means for transmitting authorization request messages to an authorization server, the subscriber station further being arranged for receiving authorization messages from the authorization server, and in that the subscriber station is arranged for requesting services from the head-end after receiving a positive authorization message.

6. Gateway for passing information from an information server to at least one subscriber terminal, characterized in that the gateway is arranged for passing authorization request messages from the subscriber terminal to an authorization server, and in that the gateway is arranged for enabling the subscriber to access said services in response to an authorization message received from the authorization server.

7. Method comprising transmitting broadcast signals to at least one subscriber station and transmitting information from the subscriber terminal to a head-end, the method further comprising authorizing the access of the subscriber terminal to available services, characterized in that the method comprises transmitting authorization request messages by the subscriber terminal to an authorization server, checking the entitlement of the subscriber terminal to services to be provided, and in that the method comprises enabling the subscriber to access said services if the subscriber terminal is entitled.


8. Method according to claim 7, characterized in that the method comprises transmitting information to the subscriber terminals via a gateway, and in that the method comprises enabling the subscriber to access said services by transmitting a message to the gateway to grant said subscriber access to said services.

9. Method according to claim 8, characterized in that said message comprises information about at least one source IP address from which IP packets are passed to the subscriber station.


10. Method according to claim 8 or 9, characterized in that said services are transmitted using IP packets, and in that said message comprises information about at least one destination IP address to which IP packets from the subscriber station are passed.